
Choosing A Secure Password

Choosing secure passwords and enforcing good password policies are by far the most important defenses against password-based attacks. Oracle recommends that customers use passwords at least 10 characters long. The complexity of the password is equally important: a password built from a dictionary word is vulnerable to a dictionary attack, in which the attacker simply tries every entry of a word list (and common variations of each entry). A complex password should contain:

  • At least 10 characters
  • A mixture of letters and numbers
  • Mixed-case letters (passwords are case-sensitive from Oracle Database 11g onward; earlier releases do not distinguish case)
  • Symbols (before Oracle Database 11g, only "_", "$" and "#" are allowed)
  • Little or no relation to an actual word

Although there is no substitute for a strong, complex password, the following techniques can be used to derive a longer password from a shorter, easier-to-remember one. Note that Oracle Database 11g supports mixed-case passwords, so case can be used as an additional source of complexity.

  • Create passwords from the 1st letters of the words of an easy-to-remember sentence: 'I usually work until 6 almost every day of the week' would become 'Iuwu6aedotw'
  • Combine two weaker passwords, such as "welcome1" and "tiger", into "WelTigerCome1"
  • Repeat a character at the beginning or end of the password
  • Prepend or append a string of some sort
  • Prepend or append another password
  • Append PART of the same password
  • Double some or all of the letters: "welcome13" → "wwellCcooMmee13"

Applying one of these techniques increases the work an attacker must do to crack the password, because the result is longer and is no longer a plain dictionary word. The benefit is smaller for transformations that are themselves common (for example, simply appending a single digit), since password-cracking tools apply such rules to every word in their lists.

Oracle also recommends that customers enforce password expiration and reuse policies using Oracle profiles and follow the best practices defined by Oracle Applications. Oracle Database 11g makes it easy to configure password policies during database installation. For example, during install, customers can limit the number of times a user may enter an incorrect password before the account is temporarily locked. Oracle Database auditing can also be used to monitor account logins, including failed attempts.
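The complexity rules listed above and the profile-based expiration, reuse and lockout policy described here can be enforced inside the database. The following is an added example and is not code from this page or from the utlpwdmg.sql script that Oracle ships: a PL/SQL password verify function that checks the rules above, a profile that attaches it and sets expiry, reuse and lockout limits, and an audit query for failed logins. The function name verify_password_policy, the profile name secure_accounts, the user app_user, the small word list and the specific numeric limits are assumptions chosen for illustration.

```sql
-- Added example (not from Oracle's page). Run as SYS: Oracle requires a password
-- verify function to be owned by SYS. Names, limits and the word list are assumptions.
CREATE OR REPLACE FUNCTION verify_password_policy (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2)
RETURN BOOLEAN IS
    -- Constructed mini word list; a deployment would load a real dictionary into a table.
    TYPE word_list IS TABLE OF VARCHAR2(30);
    common_words word_list := word_list('welcome', 'oracle', 'password', 'tiger', 'database');
BEGIN
    -- Rule: at least 10 characters
    IF LENGTH(password) < 10 THEN
        raise_application_error(-20001, 'Password must be at least 10 characters long');
    END IF;

    -- Rule: a mixture of letters and numbers
    IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
       OR NOT REGEXP_LIKE(password, '[[:digit:]]') THEN
        raise_application_error(-20002, 'Password must contain both letters and digits');
    END IF;

    -- Rule: mixed case (only meaningful on Oracle Database 11g and later,
    -- where passwords are case-sensitive)
    IF NOT REGEXP_LIKE(password, '[[:lower:]]')
       OR NOT REGEXP_LIKE(password, '[[:upper:]]') THEN
        raise_application_error(-20003, 'Password must contain upper- and lower-case letters');
    END IF;

    -- Rule: at least one symbol; limited to _ $ # so the same password is also
    -- acceptable to pre-11g databases
    IF NOT REGEXP_LIKE(password, '[_$#]') THEN
        raise_application_error(-20004, 'Password must contain at least one of _ $ #');
    END IF;

    -- Rule: little or no relation to an actual word. The username is rejected too.
    IF INSTR(LOWER(password), LOWER(username)) > 0 THEN
        raise_application_error(-20005, 'Password must not contain the username');
    END IF;
    FOR i IN 1 .. common_words.COUNT LOOP
        IF INSTR(LOWER(password), common_words(i)) > 0 THEN
            raise_application_error(-20006,
                'Password must not contain the common word "' || common_words(i) || '"');
        END IF;
    END LOOP;

    -- The new password must not simply be the old one with different case.
    IF old_password IS NOT NULL AND LOWER(password) = LOWER(old_password) THEN
        raise_application_error(-20007, 'New password must differ from the old password');
    END IF;

    RETURN TRUE;
END verify_password_policy;
/

-- Profile: attach the verify function and set expiration, reuse and lockout limits.
-- Time values are in days, so 1/24 is one hour.
CREATE PROFILE secure_accounts LIMIT
    FAILED_LOGIN_ATTEMPTS    5            -- lock after 5 consecutive failures
    PASSWORD_LOCK_TIME       1/24         -- stay locked for one hour, then unlock automatically
    PASSWORD_LIFE_TIME       90           -- password expires after 90 days
    PASSWORD_GRACE_TIME      7            -- warn for 7 days before the expiry is enforced
    PASSWORD_REUSE_TIME      365          -- a password may be reused only after a year ...
    PASSWORD_REUSE_MAX       10           -- ... and only after 10 other passwords have been used
    PASSWORD_VERIFY_FUNCTION verify_password_policy;

ALTER USER app_user PROFILE secure_accounts;

-- The verify function runs only when a password is set, so existing passwords are
-- never re-checked. Force a change at next login for accounts moved to the profile.
ALTER USER app_user PASSWORD EXPIRE;

-- Monitor logins: audit session creation, then look for ORA-01017 (invalid
-- username/password) failures, recorded as RETURNCODE 1017 in the session audit trail.
AUDIT SESSION BY ACCESS;

SELECT username, os_username, userhost, timestamp, returncode
  FROM dba_audit_session
 WHERE returncode = 1017
 ORDER BY timestamp DESC;
```

To exercise the function, change a password on an account that uses the profile, for example ALTER USER app_user IDENTIFIED BY Iuwu6aedotw#; a rejected password fails with ORA-28003 followed by the message raised inside the function. Note that the mnemonic from the list above, 'Iuwu6aedotw', needs a symbol appended before this function accepts it, which is the intended effect of combining a mnemonic with the complexity rules. Password limits in a profile are always enforced, regardless of the RESOURCE_LIMIT parameter, which only governs the profile's resource limits.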

Oracle Database Enterprise User Security (EUS) leverages Oracle Identity Management to centrally store and manage database passwords. EUS has supported password-based authentication since Oracle9i Release 2 and added support for SHA-1 password hashes in Oracle Database 10g Release 1. Please note that centralized password-based authentication requires a license for Oracle Identity Management Directory Services.

Customers who do not want to rely on password-based authentication can instead use the strong authentication technologies Kerberos, SSL, or RADIUS. These are available with the Oracle Advanced Security option.

Learn More
· Oracle by Example: Database Security

Security Options
· Oracle Database Vault
· Oracle Advanced Security
· Oracle Label Security
· Oracle Secure Backup

Security Features
· Data Encryption
· Virtual Private Database
· Database Auditing
· Backup Encryption
· Proxy Authentication
· Enterprise User Security
· Secure Application Roles
· Fine Grained Auditing

Related Technologies
· Audit Vault
· Secure Backup
· Configuration Management
· Information Rights Management
· Identity Management

Previous Releases
· Oracle10g R2 Security
· Oracle9iR2 Security
· Oracle9i Security

Discussion Forums
· Audit Vault
· Security
· Database